Malvertising, or malicious advertising, occurs when malware, through the injection of malicious code into online display ads, exposes user networks and connected devices to the potential risk of infection.
Online ads are produced by advertising networks, which are generally unaware they are serving malicious content. In the attacks revealed by GeoEdge, a mobile advertising cybersecurity company, targeted users aren’t even required to click on the infected ad or visit a malicious page for the attack to occur on home network devices.
GeoEdge had uncovered a global-scale malvertising attack, the first ad-based cybercrime aimed specifically at home-network-based IoT devices. Its security research team has identified both its origins (from bad actors in Slovenia and Ukraine) and the overall attack vector.
The attack vector is the first of its kind to use online advertising to silently install apps on home Wi-Fi-connected IoT devices. The hackers possessed a basic understanding of device API documentation, some JavaScript knowledge, and introductory online advertising skills.
The broad IoT attack involves the ability to manipulate IoT devices, download apps without users’ consent, and risks theft of personal information and monetary instruments, and even tampering with smart locks and surveillance cameras. According to GeoEdge, antivirus apps and even firewalls are not sufficient to block the attacks.
According to GeoEdge’s CEO, Amnon Siev, “At this point, we cannot disclose quantitative figures, graphs, or examples of devices showing the attack yet as this is still an ongoing effort we are working on in collaboration with the device’s company. What we can share at this point is that your IoT devices are exposed to malvertising. They can be installed with applications you didn’t ask for, can be accessed from afar by malvertisers. And this is all the result of a malicious ad which was showcased to the user on his secured home network.”
Siev adds that the attackers are using programmatic advertising as a distribution channel for the attack because it’s inexpensive and easy to deploy.
Even if end users are aware of IoT security and have done their part to secure their connected home devices, it may not be enough. There are several ways that attackers can break into a smart home network, and malvertising is just one of them.